Use of the Internet for business, financial, and other commercial activities has greatly expanded in recent years. These activities often involve the exchange of confidential and sensitive information via the Internet between a server and a client. Due to the sensitive nature of the information being exchanged, electronic transactions between the server—e.g., an application running on the server of a business entity—and the client—e.g., an application running on the computer of an individual—are preferably conducted over a secure connection between the server and client.
Computer networks often implement a Secure Socket Layer (SSL) protocol to provide secure connections between clients and servers. See Secure Socket Layer Protocol, Version 3.0, November 1996. The SSL protocol provides an interface between TCP/IP and higher level protocols, such as HTTP. The SSL protocol further defines an SSL handshake protocol for establishing an encrypted SSL connection between a client and server. The SSL handshake protocol provides authentication of the server to the client, selection of a cryptographic algorithm or cipher that both client and server support, optional authentication of the client to the server, and public-key encryption.
As noted above, the SSL handshake protocol utilizes public-key encryption techniques in establishing a secure connection between a client and server, such public-key encryption techniques being well known in the art. Generally, public-key encryption utilizes a public key and an associated private key—or key pair—in conjunction with a certificate. Data encrypted with a public key can be decrypted only with the corresponding private key and, similarly, data encrypted with the private key can be decrypted only with the mating public key. Key pairs are utilized during the initial SSL handshake process to establish a secure, encrypted connection between a client and server, each of which may have a unique key pair (and certificate).
A certificate is an electronic document that identifies an individual or entity and associates the identified individual or entity with a public key. See, e.g., International Telecommunications Union—Telecommunication Standardization Sector (ITU-T) X.509, Information Technology—Open Systems Interconnection—The Directory: Public Key and Attribute Certificate Frameworks, March 2000. A certificate is typically obtained from a certificate authority (CA). A CA is an entity that validates the identity of individuals or entities and issues certificates. An issued certificate binds a particular public key to the name (individual or entity) identified by the certificate, and only that public key will function with the corresponding private key possessed by the individual or entity identified by the certificate.
To facilitate Internet-based transactions with their customers, businesses and other entities commonly host a website. For many businesses—as well as for many educational institutions, non-profit institutions, and individuals—it is not cost-effective to manage a server (or, in most instances, a server cluster) and the associated software necessary to maintain a website. Rather, these businesses utilize an Internet Service Provider (ISP) or other service provider to host their website. An ISP may manage the website for each of hundreds of subscribers.
An ISP will typically implement the SSL protocol and public-key encryption (or their equivalents) to provide secure client-server connections and to insure secure Internet-based transactions for their subscribers. To provide this service, the ISP may regularly request certificates for its subscribers (or a subscriber may itself request a certificate). To request a certificate, the ISP will generate a key pair and an associated certificate signing request (CSR), and the CSR is transmitted to the CA. The CA will process the CSR and return a signed certificate (i.e., a certificate including the CA's digital signature). The ISP must then match the signed certificate with the corresponding CSR and key pair used to request the certificate. Once the matching CSR is identified, the signed certificate can be imported to the appropriate subscriber's website.
Presently, a signed certificate received from a CA is manually associated with its mating CSR and key pair. As noted above, however, an ISP may have hundreds of subscribers, and the number of businesses maintaining a presence on the Internet is expected to increase. The next-generation of tools for managing certificates and key pairs will be expected to support thousands of certificates and key pairs. Therefore, as the number of subscribers serviced by an ISP—and, hence, the number of certificates and key pairs—grows, it is believed that the manual association of signed certificates and CSRs will becoming increasingly difficult, if not impossible. Also, there is often a significant time delay (e.g., hours, days) between transmission of a CSR and receipt of a signed certificate from a CA, increasing the difficulty of the manual association process.